Contents
NAT entries and relation entries
Device access with overlapping addresses
Configuring outbound bidirectional NAT for internal-to-external access through domain name
Restrictions and guidelines: NAT configuration
Interface-based NAT tasks at a glance
Restrictions and guidelines for static NAT configuration
Prerequisites for static NAT configuration
Configuring outbound one-to-one static NAT
Configuring outbound net-to-net static NAT
Restrictions and guidelines for dynamic NAT configuration
Prerequisites for dynamic NAT configuration
Configuring outbound dynamic NAT
Configuring NAT server mappings
Configuring common NAT server mappings on an interface
Configuring load sharing NAT server mappings on an interface
Configuring ACL-based NAT server mappings on an interface
Configuring NAT address groups for different VPNs to share address ranges
Specifying a NAT processing service card
Configuring NAT logging and SNMP notifications
Configuring NAT session logging
Display and maintenance commands for NAT
Example: Configuring outbound one-to-one static NAT
Example: Configuring outbound dynamic NAT (non-overlapping addresses)
Example: Configuring NAT Server for external-to-internal access
Example: Configuring NAT Server for external-to-internal access through domain name
Example: Configuring NAT hairpin in C/S mode
Example: Configuring load sharing NAT Server
Example: Configuring NAT DNS mapping
Example: Configuring NAT log export to the information center
Example: Configuring NAT log export to the log server
NAT overview
Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private hosts to access external networks and external hosts to access private network resources such as a Web server.
Basic NAT concepts
The following describes basic NAT concepts:
· NAT device—A device configured with NAT. Typically, NAT is configured on the edge device that connects the internal and external networks.
· NAT interface—An interface configured with NAT.
· NAT rule—A rule that NAT follows to translate addresses.
· NAT address—A public IP address used for address translation, and this address is reachable from the external network. The NAT address can be manually assigned or dynamically obtained.
· NAT entry—Stores the mapping between a private IP address and a public IP address. For more information, see "NAT entries."
· Easy IP—Uses the IP address of an interface as the NAT address. The IP address of the interface can be manually assigned or be obtained through DHCP or PPPoE.
Basic NAT operating mechanism
Figure 1 shows the basic NAT operating mechanism.
2. Upon receiving a response from the server, NAT translates the destination public address to the private address, and forwards the packet to the host.
The NAT operation is transparent to the terminals (the host and the server). NAT hides the private network from the external users and shows that the IP address of the internal host is 20.1.1.1.
NAT applications
Traditional NAT
Traditional NAT is configured on the interface that connects to the public network. It translates the source IP addresses of outgoing packets and destination IP addresses of incoming packets.
Twice NAT
Twice NAT translates the destination IP address on the receiving interface, and the source IP address on the sending interface. The receiving and sending interfaces are both NAT interfaces.
Twice NAT allows VPNs with overlapping addresses to access each other.
Bidirectional NAT
NAT translates the source and destination IP addresses of incoming packets on the receiving interface and outgoing packets on the sending interface.
Bidirectional NAT supports active access to external network resources from internal users when the internal and external IP addresses overlap.
NAT hairpin
NAT hairpin allows internal hosts to access each other through NAT. The source and destination IP address of the packets are translated on the interface connected to the internal network.
NAT hairpin includes P2P and C/S modes:
· P2P—Allows internal hosts to access each other through NAT. The internal hosts first register their public addresses to an external server. Then, the hosts communicate with each other by using the registered IP addresses.
· C/S—Allows internal hosts to access internal servers through NAT addresses. The destination IP address of the packet going to the internal server is translated by matching the NAT Server configuration. The source IP address is translated by matching the outbound dynamic or static NAT entries.
NAT DNS mapping
The DNS server is typically on the public network. For the users on the public network to access an internal server, you can configure the NAT Server feature on the NAT interface that connects to the public network. The NAT Server maps the public IP address and port number to the private IP address and port number of the internal server. Then the public users can access the internal server through the server's domain name or public IP address.
When a user is in the private network, the user cannot access the internal server by using the domain name of the server. This is because the DNS response contains the public IP address of the server. In this case, you can configure NAT DNS mapping to solve the problem.
As shown in Figure 2, NAT DNS mapping works as follows:
1. The host sends a DNS request containing the domain name of the internal Web server.
2. Upon receiving the DNS response, the NAT device performs a DNS mapping lookup by using the domain name in the response. A NAT DNS mapping maps the domain name to the public IP address, public port number, and the protocol type for the internal server.
3. If a match is found, the NAT continues to compare the public address, public port number, and the protocol type with the NAT Server configuration. The NAT Server configuration maps the public IP address and port number to the private IP address and port number for the internal server.
4. If a match is found, NAT translates the public IP address in the response into the private IP address of the Web server.
5. The internal host receives the DNS response, and obtains the private IP address of the Web server.
NAT control
You can use ACLs to implement NAT control. The match criteria in the ACLs include the source IP address, source port number, destination IP address, destination port number, transport layer protocol, user group, and VPN instance. Only packets permitted by an ACL are processed by NAT.
NAT translation methods
Static NAT
Static NAT creates a fixed mapping between a private address and a public address. It supports connections initiated from internal users to external network and from external users to the internal network. Static NAT applies to regular communications.
Dynamic NAT
Dynamic NAT uses an address pool to translate addresses. It applies to the scenario where a large number of internal users access the external network.
NO-PAT
Not Port Address Translation (NO-PAT) translates a private IP address to a public IP address. The public IP address cannot be used by another internal host until it is released.
NO-PAT supports all IP packets.
PAT
Port Address Translation (PAT) translates multiple private IP addresses to a single public IP address by mapping the private IP address and source port to the public IP address and a unique port. PAT supports TCP and UDP packets, and ICMP request packets.
Figure 3 PAT operation
As shown in Figure 3, PAT translates the source IP addresses of the three packets to the same public IP address and translates their port numbers to different port numbers. Upon receiving a response, PAT translates the destination address and port number of the response, and forwards it to the target host.
PAT supports the following mappings:
· Endpoint-Independent Mapping (EIM)—Uses the same IP and port mapping (EIM entry) for packets from the same source IP and port to any destinations. EIM allows external hosts to initiate connections to the translated IP addresses and ports of internal hosts. It allows internal hosts behind different NAT gateways to access each other.
· Connection-Dependent Mapping—Uses the same IP and port mapping for packets of the same connection. Different IP and port mappings are used for different connections although the connections might have the same source IP address and port number. It is secure because it allows an external host to access an internal host only under the condition that the internal host has previously accessed the external host.
NAT Server
The NAT Server feature maps a public address and port number to the private IP address and port number of an internal server. This feature allows servers in the private network to provide services for external users.
Figure 4 shows how NAT Server works:
1. Upon receiving a request from the host, NAT translates the public destination IP address and port number to the private IP address and port number of the internal server.
2. Upon receiving a response from the server, NAT translates the private source IP address and port number to the public IP address and port number.
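The following is an added example, not code from the device or its documentation: a small model of the NAT DNS mapping lookup chain (steps 2 to 4 above, a dns-map lookup by domain name followed by a NAT Server lookup on the public address, port and protocol) and of the NAT Server translation in both directions. It goes slightly beyond the text by also handling the "single public address with no public port" form of the nat server command, modelled as forwarding every port unchanged (an assumption). All addresses and domain names are constructed sample values.

```python
"""Model of NAT DNS mapping and NAT Server lookups (added illustration, not device code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class DnsMap:
    """One 'nat dns-map' rule: domain name -> public IP, public port and protocol."""
    domain: str
    proto: str
    global_ip: str
    global_port: int

@dataclass(frozen=True)
class NatServer:
    """One 'nat server' rule. global_port/local_port None models the
    'single public address with no public port' form: every port is
    forwarded and the port number is kept (assumption for this example)."""
    proto: str
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]

    def matches_public(self, proto: str, ip: str, port: int) -> bool:
        return (proto == self.proto and ip == self.global_ip
                and (self.global_port is None or port == self.global_port))

    def to_private(self, port: int) -> Tuple[str, int]:
        return self.local_ip, (port if self.global_port is None else self.local_port)

    def matches_private(self, proto: str, ip: str, port: int) -> bool:
        return (proto == self.proto and ip == self.local_ip
                and (self.local_port is None or port == self.local_port))

    def to_public(self, port: int) -> Tuple[str, int]:
        return self.global_ip, (port if self.global_port is None else self.global_port)

def nat_server_inbound(servers, proto, dst_ip, dst_port):
    """NAT Server step 1: request from the outside -> private address/port, or None if no rule matches."""
    for s in servers:
        if s.matches_public(proto, dst_ip, dst_port):
            return s.to_private(dst_port)
    return None

def nat_server_outbound(servers, proto, src_ip, src_port):
    """NAT Server step 2: reply from the internal server -> public address/port, or None."""
    for s in servers:
        if s.matches_private(proto, src_ip, src_port):
            return s.to_public(src_port)
    return None

def translate_dns_answer(dns_maps, servers, domain, answer_ip):
    """DNS mapping steps 2 to 4: look up the domain in the dns-map table, then check that the
    mapped public IP/port/protocol is covered by a NAT Server rule; if both match, the host
    receives the server's private address, otherwise the answer is forwarded unchanged."""
    name = domain.lower().rstrip(".")
    dmap = next((d for d in dns_maps if d.domain.lower().rstrip(".") == name), None)
    if dmap is None:
        return answer_ip
    private = nat_server_inbound(servers, dmap.proto, dmap.global_ip, dmap.global_port)
    if private is None:
        return answer_ip
    return private[0]

# Constructed sample configuration (addresses are not taken from the page's figures).
DNS_MAPS = [DnsMap("www.example.com", "tcp", "202.110.10.20", 80)]
SERVERS = [
    NatServer("tcp", "202.110.10.20", 80, "10.110.1.1", 8080),   # fixed public port
    NatServer("udp", "202.110.10.21", None, "10.110.1.2", None),  # no public port: all ports forwarded
]
```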
NAT entries and relation entries
NAT session entry
NAT creates a NAT session entry for a session and creates an address mapping for the first packet in the session.
A NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry.
· If the direction of the subsequent packets is the same as the direction of the first translated packet, NAT performs the source and destination address translation the same as the first packet.
· If the direction of the subsequent packets is opposite to the direction of the first translated packet, NAT performs reverse address translation. For example, if the source address of the first packet is translated, then the destination address of the subsequent packets is translated.
The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.
EIM entry
If EIM is configured on the NAT device, the PAT mode will first create a NAT session entry, and then an EIM entry. The EIM entry is a 3-tuple entry, and it maps a private address/port to a public address/port. The EIM entry ensures that:
· Subsequent new connections originating from the same source IP and port use the same translation as the initial connection.
· New connections initiated from external hosts to the NAT address and port number are translated based on the EIM entry.
An EIM entry ages out after all related NAT session entries age out.
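The following is an added example, not code from the device or its documentation, modelling the two PAT mapping behaviours described under "PAT supports the following mappings" and the EIM entry lifetime described in this section: a NAT session entry per connection, an EIM 3-tuple entry under Endpoint-Independent Mapping, and reverse translation of inbound packets. The difference that matters for exposure is visible in the result: under EIM an external host that was never contacted can reach the mapped port, under Connection-Dependent Mapping it cannot. The NAT address, inside addresses and the port allocation starting at 10000 are constructed assumptions.

```python
"""Model of PAT with EIM versus Connection-Dependent Mapping (added illustration, not device code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen on the wire."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatTranslator:
    def __init__(self, nat_address, mode, first_port=10000):
        assert mode in ("eim", "cdm")   # Endpoint-Independent / Connection-Dependent Mapping
        self.nat_address = nat_address
        self.mode = mode
        self.next_port = first_port      # simple sequential allocation (assumption)
        self.sessions = {}   # NAT session entries: inside 5-tuple -> (public ip, public port)
        self.reverse = {}    # (proto, public ip, public port, peer ip, peer port) -> (inside ip, inside port)
        self.eim = {}        # EIM entries (3-tuple): (proto, inside ip, inside port) -> (public ip, public port)

    def _allocate_port(self):
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, flow):
        """Translate a packet leaving the private network; returns the translated 5-tuple."""
        if flow in self.sessions:
            pub_ip, pub_port = self.sessions[flow]          # subsequent packet: reuse the session entry
        else:
            eim_key = (flow.proto, flow.src_ip, flow.src_port)
            if self.mode == "eim" and eim_key in self.eim:
                pub_ip, pub_port = self.eim[eim_key]        # new connection, same source: reuse the EIM entry
            else:
                pub_ip, pub_port = self.nat_address, self._allocate_port()
                if self.mode == "eim":
                    self.eim[eim_key] = (pub_ip, pub_port)
            self.sessions[flow] = (pub_ip, pub_port)
            self.reverse[(flow.proto, pub_ip, pub_port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, pub_ip, pub_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Translate a packet arriving at the NAT address; returns the inside 5-tuple, or None if dropped."""
        key = (flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        if key in self.reverse:                             # reply on an existing session: reverse translation
            in_ip, in_port = self.reverse[key]
            return Flow(flow.proto, flow.src_ip, flow.src_port, in_ip, in_port)
        if self.mode == "eim":                              # EIM: any external host may use the mapped port
            for (proto, in_ip, in_port), pub in self.eim.items():
                if proto == flow.proto and pub == (flow.dst_ip, flow.dst_port):
                    inside = Flow(proto, in_ip, in_port, flow.src_ip, flow.src_port)
                    self.sessions[inside] = pub             # the new inbound connection gets its own session entry
                    self.reverse[(proto, pub[0], pub[1], flow.src_ip, flow.src_port)] = (in_ip, in_port)
                    return Flow(flow.proto, flow.src_ip, flow.src_port, in_ip, in_port)
        return None                                         # CDM: no prior connection to this peer, drop

    def age_out(self, flow):
        """Remove one session entry; the EIM entry goes only when no session uses its mapping any more."""
        pub = self.sessions.pop(flow)
        del self.reverse[(flow.proto, pub[0], pub[1], flow.dst_ip, flow.dst_port)]
        if self.mode == "eim" and pub not in self.sessions.values():
            self.eim.pop((flow.proto, flow.src_ip, flow.src_port), None)

def compare_modes(mode):
    """Two UDP connections from one inside socket, then inbound packets from a known and an unknown peer."""
    nat = PatTranslator("20.1.1.1", mode)
    first = nat.outbound(Flow("udp", "192.168.1.1", 5000, "30.1.1.1", 53))
    second = nat.outbound(Flow("udp", "192.168.1.1", 5000, "30.1.1.2", 53))
    known = nat.inbound(Flow("udp", "30.1.1.1", 53, first.src_ip, first.src_port))
    unknown = nat.inbound(Flow("udp", "40.1.1.1", 4000, first.src_ip, first.src_port))
    return {
        "same_mapping": first.src_port == second.src_port,
        "known_peer_reaches_host": known is not None,
        "unknown_peer_reaches_host": unknown is not None,
    }
```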
NO-PAT entry
A NO-PAT entry maps a private address to a public address. The same mapping applies to subsequent connections originating from the same source IP.
A NO-PAT entry can also be created during the ALG process for NAT. For information about NAT ALG, see "NAT ALG."
A NO-PAT entry ages out after all related NAT session entries age out.
Relation entry
NAT ALG translates the IP addresses or port numbers contained in the payload of application-layer packets. On receiving the first packet, the NAT device enabled with ALG creates a relation entry to record the address information carried in the packet. Subsequent packets of the session are translated by using this entry. The address and port information after NAT is used to establish a dynamic channel, and subsequent connections that match the address information will transmit data through the dynamic channel. For more information about relation entries, see session management in Security Configuration Guide.
VRF-aware NAT
VRF-aware NAT allows users from different VRFs (VPN instances) to access external networks and to access each other.
1. Upon receiving a request from a user in a VRF to an external network, NAT performs the following tasks:
¡ Translates the private source IP address and port number to a public IP address and port number.
¡ Records the VRF information, such as the VRF name.
2. When a response packet arrives, NAT performs the following tasks:
¡ Translates the destination public IP address and port number to the private IP address and port number.
¡ Forwards the packet to the target VRF.
The NAT Server feature supports VRF-aware NAT for external users to access the servers in a VPN instance. For example, to enable a host at 10.110.1.1 in VPN 1 to provide Web services for Internet users, configure NAT Server to use 202.110.10.20 as the public IP address of the Web server.
NAT ALG
NAT ALG (Application Level Gateway) translates address or port information in the application layer payloads to ensure connection establishment.
For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT ALG to translate the address and port information for data connection establishment.
Device access with overlapping addresses
Configuring twice NAT
As shown in Figure 5, two hosts are in different VPN instances with overlapping addresses. For the hosts to access each other, both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces connected to the VPNs on the NAT device.
1. Configure a static outbound NAT mapping between 192.168.1.1 in VPN 1 and 172.16.1.1 in VPN 2.
2. Configure a static outbound NAT mapping between 192.168.1.1 in VPN 2 and 172.16.2.1 in VPN 1.
3. When the twice NAT takes effect, the hosts can access each other.
Figure 5 VPN access with overlapping address
Configuring outbound bidirectional NAT for internal-to-external access through domain name
As shown in Figure 6, the IP address of the Web server overlaps with the private host at 192.168.1.0/24. Configure dynamic NAT ALG and outbound dynamic NAT to allow the internal host to access the external Web server by using the server's domain name.
1. The host sends a DNS request to the DNS server in the external network.
2. After receiving a DNS reply, the NAT device with NAT ALG configured translates the Web server's IP address in the DNS reply payload to a dynamically assigned public address 10.1.1.1.
3. Configure inbound dynamic NAT ALG to make sure the internal host reaches the Web server instead of another internal host. NAT ALG can translate the Web server's IP address in the DNS reply payload to a dynamically assigned public address 10.1.1.1.
4. After receiving the DNS reply from the NAT device, the host sends a packet with the source IP address 192.168.1.1 and destination IP address 10.1.1.1.
5. The NAT device with outbound dynamic NAT configured translates the source IP address of the packet to a dynamically assigned public address 20.1.1.1. NAT ALG translates the destination IP address of the packet to the IP address of the Web server.
Figure 6 Internal-to-external access through domain name
Configuring NAT
Restrictions and guidelines: NAT configuration
The general restrictions and guidelines are as follows:
· If you perform all the translation methods, the NAT rules are sorted in the following descending order:
a. NAT Server.
b. Static NAT.
c. NAT static port blocking mapping.
d. Dynamic NAT and NAT dynamic port block mapping.
Dynamic NAT rules and NAT dynamic port block mapping rules are sorted in descending order of ACL numbers and are effective for IPv4 packets.
· After NAT is configured, editing the ACL rule in a QoS policy affects only subsequent traffic and does not affect the NATed traffic.
· When you use a QoS policy configured in modular QoS configuration (MQC) approach to redirect traffic to a NAT instance, the device works as follows:
If the QoS policy applied to an interface and the policy-based routing configured on the interface matches the same traffic (for example, they reference the same ACL rule), the policy-based routing configuration takes effect. The device does not match the traffic with the QoS policy.
· After you switch the traffic redirecting action to redirecting traffic to a specified card, or from redirecting to a specified card to another redirecting action, clear the fast forwarding table for the card by using the reset ip fast-forwarding cache slot command.
If all equal-cost output interfaces are configured with interface-based NAT, make sure the NAT configurations on all of them are the same. If the NAT configurations are different, NAT uses the NAT configuration on only one interface for address translation, leading to unexpected results and NAT address waste.
Interface-based NAT tasks at a glance
To configure NAT on an interface, perform the following tasks:
1. Configuring a translation method, port allocation, and port block allocation on an interface
¡ Configuring outbound dynamic NAT for interface-based NAT
¡ Configuring common NAT server mappings on an interface
¡ Configuring load sharing NAT server mappings on an interface
¡ Configuring ACL-based NAT server mappings on an interface
3. Specifying a slot for processing NAT services
¡ Specifying a NAT processing service card
To use a NAT-capable service card for NAT service processing, specify this service card on an interface with NAT configured.
4. (Optional.) Configuring NAT address groups for different VPNs to share address ranges
5. (Optional.) Configuring NAT hairpin
6. (Optional.) Configuring NAT DNS mapping
7. (Optional.) Configuring NAT ALG
8. (Optional.) Configuring NAT logging and SNMP notifications
Configuring static NAT
Restrictions and guidelines for static NAT configuration
Typically, configure inbound static NAT with outbound dynamic NAT, NAT Server, or outbound static NAT to implement bidirectional NAT.
Prerequisites for static NAT configuration
Before configuring static NAT, you must perform the following tasks:
· Configure an ACL to identify the IP addresses to be translated. For more information about ACLs, see ACL and QoS Configuration Guide.
· Manually add a route for inbound static NAT. Use local-ip or local-network as the destination address, and use global-ip, an address in global-network, or the next hop directly connected to the output interface as the next hop.
Configuring outbound one-to-one static NAT
About this task
For address translation from a private IP address to a public IP address, configure outbound one-to-one static NAT on the interface connected to the external network.
· When the source IP address of a packet from the private network matches the local-ip, the source IP address is translated into the global-ip.
· When the destination IP address of a packet from the public network matches the global-ip, the destination IP address is translated into the local-ip.
Configuring outbound one-to-one static NAT on an interface
1. Enter system view.
system-view
2. Configure a one-to-one mapping for outbound static NAT.
nat static outbound local-ip [ vpn-instance local-vpn-instance-name ] global-ip [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]
3. Enter interface view.
interface interface-type interface-number
4. Enable static NAT on the interface.
nat static enable
By default, static NAT is disabled.
Configuring outbound net-to-net static NAT
About this task
For address translation from a private network to a public network, configure outbound net-to-net static NAT on the interface connected to the external network.
· When the source IP address of a packet from the private network matches the private address range, the source IP address is translated into a public address in the public address range.
· When the destination IP address of a packet from the public network matches the public address range, the destination IP address is translated into a private address in the private address range.
Configuring outbound net-to-net static NAT on an interface
1. Enter system view.
system-view
2. Configure a net-to-net mapping for outbound static NAT.
nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-vpn-instance-name ] global global-network { mask-length | mask } [ vpn-instance global-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } [ reversible ] ]
3. Enter interface view.
interface interface-type interface-number
4. Enable static NAT on the interface.
nat static enable
By default, static NAT is disabled.
Configuring dynamic NAT
Restrictions and guidelines for dynamic NAT configuration
You can configure multiple inbound or outbound dynamic NAT rules.
· A NAT rule with an ACL takes precedence over a rule without any ACL.
· If two ACL-based dynamic NAT rules are configured, the rule with the higher ACL number has higher priority.
· In the NAT and BRAS unification scenario, the device goes through NAT rules on all the interfaces in ascending order of interface index after a user passes authentication. When a packet matches an ACL permit rule on an interface with smaller interface index, the matching process stops. To avoid incorrect traffic matching and translation, configure ACL rules in the NAT rules appropriately.
Prerequisites for dynamic NAT configuration
Before configuring dynamic NAT, you must perform the following tasks:
· Configure an ACL to identify the IP addresses to be translated. For more information about ACLs, see ACL and QoS Configuration Guide.
· Determine whether to enable the Easy IP feature. If you use the IP address of an interface as the NAT address, you are configuring Easy IP.
· Determine a public IP address range for address translation.
· Determine whether to translate port numbers. Use NO-PAT to translate only IP addresses and PAT to translate both IP addresses and port numbers.
Configuring outbound dynamic NAT
About this task
Outbound dynamic NAT translates private IP addresses into public IP addresses.
Restrictions and guidelines
Interface-based outbound dynamic NAT is typically configured on the interface connected to the external network.
Configuring outbound dynamic NAT for interface-based NAT
1. Enter system view.
system-view
2. (Optional.) Specify the Endpoint-Independent Mapping mode for outbound dynamic PAT.
nat mapping-behavior endpoint-independent { tcp [ tcp-5-tuple ] | udp [ udp-5-tuple ] } *
The default mapping mode is Connection-Dependent Mapping.
This command takes effect only on outbound PAT.
3. Create a NAT address group and enter its view.
nat address-group group-id [ vpn-instance vpn-instance-name ]
4. Add an address range to the address group.
address start-address end-address
By default, an address group does not have any address ranges.
You can add multiple address ranges to an address group, but the address ranges must not overlap.
5. Return to system view.
quit
6. Enter interface view.
interface interface-type interface-number
7. Configure outbound dynamic NAT on the interface. Choose the options to configure as needed:
¡ Configure NO-PAT.
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] address-group group-id [ vpn-instance vpn-instance-name ] no-pat [ reversible ]
¡ Configure PAT.
nat outbound [ ipv4-acl-number | name ipv4-acl-name ] [ address-group group-id ] [ vpn-instance vpn-instance-name ] [ port-preserved ]
You can configure multiple outbound dynamic NAT rules on an interface.
Parameter | Description |
---|---|
address-group | If you do not specify this keyword, the IP address of the interface is used as the NAT address. Easy IP is implemented. |
no-pat reversible | If you specify these keywords, you enable reverse address translation. Reverse address translation uses existing NO-PAT entries to translate the destination address for connections actively initiated from the external network to the internal network. The destination address is translated into the private IP address in the matching NO-PAT entry. |
Configuring NAT server mappings
About NAT server mappings
Typically, the NAT Server feature is configured on the interface connected to the external network to allow servers in the private network or VPN instance to provide services for external users. It maps a public IP address and port number to the private IP address and port number of the internal server.
The NAT Server feature can be implemented by the following methods:
· Common NAT server mappings—Maps the private IP address and the port number of the internal server to a public IP address and a port number. This method allows external hosts to access the internal server by using the specified public IP address.
· Load sharing NAT server mappings—You can add multiple internal servers to an internal server group so that these servers provide the same service for external hosts. The NAT device chooses one internal server based on the weight and number of connections of the servers to respond to a request from an external host to the public address of the internal server group.
· ACL-based NAT server mappings—An extension of common NAT server mapping. A common NAT server mapping maps the private IP address of the internal server to a single public IP address. An ACL-based NAT server mapping maps the private IP address of the internal server to a set of public IP addresses defined by an ACL. If the destination address of a packet matches a permit rule in the ACL, the destination address is translated into the private IP address of the internal server.
Configuring common NAT server mappings on an interface
Restrictions and guidelines
Typically, interface-based NAT server mappings are configured on the interface connected to the external network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure common NAT server mappings. Choose the options to configure as needed:
¡ A single public address with a single or no public port:
nat server [ protocol pro-type ] global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-vpn-instance-name ] inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ] [ reversible ]
¡ A single public address with consecutive public ports:
nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } global-port1 global-port2 [ vpn-instance global-vpn-instance-name ] inside { { local-address | local-address1 local-address2 } local-port | local-address local-port1 local-port2 } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
¡ Consecutive public addresses with no public port:
nat server protocol pro-type global global-address1 global-address2 [ vpn-instance global-vpn-instance-name ] inside { local-address | local-address1 local-address2 } [ local-port ] [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
¡ Consecutive public addresses with a single public port:
nat server protocol pro-type global global-address1 global-address2 global-port [ vpn-instance global-vpn-instance-name ] inside { local-address [ local-port1 local-port2 ] | [ local-address | local-address1 local-address2 ] [ local-port ] } [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
You can configure multiple NAT server mappings on an interface.
Configuring load sharing NAT server mappings on an interface
Restrictions and guidelines
When you configure load-shared internal servers, you must make sure a user uses the same public address and public port to access the same service on an internal server. For this purpose, make sure the value N in the following mappings is equal to or less than the number of servers in the internal server group:
· One public address and N consecutive public port numbers are mapped to one internal server group.
· N consecutive public addresses and one public port number are mapped to one internal server group.
Procedure
1. Enter system view.
system-view
2. Create a NAT Server group and enter its view.
nat server-group group-id
By default, no NAT Server groups exist.
3. Add an internal server into the group.
inside ip inside-ip port port-number [ weight weight-value ]
You can add multiple internal servers to a group.
4. Return to system view.
quit
5. Enter interface view.
interface interface-type interface-number
6. Configure load sharing NAT server mapping.
nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-vpn-instance-name ] inside server-group group-id [ vpn-instance local-vpn-instance-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } ]
You can configure multiple load sharing NAT server mappings on an interface.
Configuring ACL-based NAT server mappings on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure ACL-based NAT server mapping.
nat server global { ipv4-acl-number | name ipv4-acl-name } inside local-address [ local-port ] [ vpn-instance local-vpn-instance-name ]
You can configure multiple NAT server mappings on an interface.
Configuring NAT address groups for different VPNs to share address ranges
About this task
To help telecommunication service providers (TSPs) reuse public IP addresses among different VPNs for conservation of limited IPv4 address resources, perform this task.
This task enables you to bind NAT address groups that contain overlapping address ranges to different VPN instances.
As shown in Figure 7, create address group 1 and address group 2 on the NAT device. Bind address group 1 to VPN 1, and address group 2 to VPN 2. The address ranges in the address groups can overlap.
Restrictions and guidelines
You can bind a NAT address group to a VPN instance when you perform either of the following tasks, but not both:
· Execute the nat address-group command to create the address group.
· Specify the address group for dynamic NAT.
If the NAT address group has been bound to a VPN instance when you perform either of the tasks, you cannot specify a VPN instance for it.
Procedure
1. Enter system view.
system-view
2. Create a NAT address group and bind it to a VPN instance.
nat address-group group-id vpn-instance vpn-instance-name
Specifying a NAT processing service card
About this task
To use a NAT-capable service card for NAT service processing, specify this service card on an interface with NAT configured. NAT traffic on this interface will be redirected to the service card for processing.
Prerequisites
Before you configure a NAT processing service card, perform the following tasks:
1. Create a QoS policy. The traffic class matches the NAT service traffic and the traffic behavior redirects the NAT service traffic to the service card.
2. Apply the QoS policy to the input interface on the device.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify a NAT processing service card.
In standalone mode:
nat service slot slot-number
In IRF mode:
nat service chassis chassis-number slot slot-number
By default, no NAT processing service card is specified.
Configuring NAT hairpin
Restrictions and guidelines
NAT hairpin works in conjunction with NAT Server, outbound dynamic NAT, or outbound static NAT. To provide service correctly, you must configure NAT hairpin on the same interface module as its collaborative NAT feature.
To configure the P2P mode, you must configure outbound PAT on the interface connected to the external network and enable the EIM mapping mode.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable NAT hairpin.
nat hairpin enable
By default, NAT hairpin is enabled and cannot be disabled.
Configuring NAT DNS mapping
Restrictions and guidelines
NAT DNS mapping works in conjunction with NAT Server. NAT DNS mapping maps the domain name of an internal server to the public IP address, public port number, and protocol type of the internal server. NAT Server maps the public IP and port to the private IP and port of the internal server.
Procedure
1. Enter system view.
system-view
2. Configure a NAT DNS mapping.
nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port
You can configure multiple NAT DNS mappings.
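An added illustration, not the device's code, of the two lookups described above and of the payload rewrite that the DNS ALG performs on a reply destined for an internal client: the `nat dns-map` entry resolves the domain name to a public protocol/IP/port, the NAT server mapping resolves that public socket to the private server, and the private address replaces the public one in the A record. The domain names and the DNS message are constructed; the addresses follow the page's NAT DNS mapping example.

```python
"""Model of the two lookups behind NAT DNS mapping: the `nat dns-map` entry ties a
domain name to a public protocol/IP/port, and the NAT server mapping ties that
public socket to the private server, whose address the DNS ALG then writes into
the A record of the reply. Added example, not the device's implementation."""
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed tables. Domain names are placeholders; the addresses follow the
# page's NAT DNS mapping example (public 202.38.1.2, Web 10.110.10.1, FTP 10.110.10.2).
DNS_MAP: Dict[str, Tuple[str, str, int]] = {      # domain -> (protocol, global ip, global port)
    "www.example.com": ("tcp", "202.38.1.2", 80),
    "ftp.example.com": ("tcp", "202.38.1.2", 21),
}
SERVER_MAP: Dict[Tuple[str, str, int], Tuple[str, int]] = {   # public socket -> private socket
    ("tcp", "202.38.1.2", 80): ("10.110.10.1", 80),
    ("tcp", "202.38.1.2", 21): ("10.110.10.2", 21),
}


def lookup_private_ip(domain: str, public_ip: str) -> Optional[str]:
    """Domain -> DNS mapping -> NAT server mapping -> private IP; None if either hop is missing."""
    entry = DNS_MAP.get(domain.lower().rstrip("."))
    if entry is None or entry[1] != public_ip:   # no mapping, or the answer is not the mapped public IP
        return None
    server = SERVER_MAP.get(entry)
    return server[0] if server else None


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name (labels, with RFC 1035 compression pointers); return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def rewrite_dns_response(msg: bytes) -> Tuple[bytes, int]:
    """The ALG step for a reply to an internal client: rewrite each class-IN A record
    whose public IP has both a DNS mapping and a NAT server mapping. Returns (new message, count)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                         # fixed DNS header size
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            private_ip = lookup_private_ip(name, socket.inet_ntoa(msg[off:off + 4]))
            if private_ip:
                out[off:off + 4] = socket.inet_aton(private_ip)
                rewritten += 1
        off += rdlen
    return bytes(out), rewritten


def build_response(domain: str, ips) -> bytes:
    """Construct a minimal DNS reply (one question, one A record per IP) as test input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in domain.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return header + question + answers
```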
Configuring NAT ALG
About this task
NAT ALG translates address or port information in the application layer payloads to ensure connection establishment.
For protocol packets in different scenarios, enable the ALG feature as follows:
· For protocol packets received or sent by non-PPPoE agency users, enable NAT ALG for related protocols by using the nat alg command.
· For protocol packets received or sent by PPPoE agency users, enable ALG for the protocol packets by using the nat user-agency alg command. For more information about PPPoE agency, see PPP configuration in BRAS Services Configuration Guide.
Restrictions and guidelines
In Connection-Dependent Mapping mode, the number of connections to ports in a port block might exceed the port block size set by the block-size command if you configure NAT ALG. This is normal and requires no action. To view the number of connections to ports in a port block, execute the display nat port-block command.
The nat user-agency alg command is supported only in standard system operating mode.
Procedure
1. Enter system view.
system-view
2. Enable NAT ALG. Choose one of the options as needed:
○ Configure NAT ALG for a protocol or all protocols.
nat alg { all | dns | ftp | h323 | icmp-error | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }
By default, NAT ALG is disabled for all supported protocols except for FTP, ICMP error packets, and RTSP.
○ Configure ALG for PPPoE agency user packets.
nat user-agency alg { all | ftp | icmp-error | sip }
For PPPoE agency users, ALG is enabled for FTP and ICMP error packets and disabled for SIP packets by default.
Configuring NAT logging and SNMP notifications
Configuring NAT session logging
About this task
NAT session logging records NAT session information, including translation information and access information.
A NAT device generates NAT session logs for the following events:
· NAT session establishment.
· NAT session removal. This event occurs when a configuration with a higher priority is added, a configuration is removed, an ACL is changed, a NAT session ages out, or a NAT session is manually deleted.
· Active NAT session logging.
Procedure
1. Enter system view.
system-view
2. Enable NAT logging.
nat log enable [ acl { ipv4-acl-number | name ipv4-acl-name } ]
By default, NAT logging is disabled.
3. Enable NAT session logging.
○ For NAT session establishment events:
nat log flow-begin
○ For NAT session removal events:
nat log flow-end
○ For active NAT flows:
nat log flow-active minutes
By default, NAT session logging is disabled.
Display and maintenance commands for NAT
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display all NAT configuration information. | display nat all |
Display NAT address group information. | display nat address-group [ group-id ] [ resource-usage [ verbose ] ] |
Display NAT DNS mapping configuration. | display nat dns-map |
Display information about NAT EIM entries. | In standalone mode: display nat eim [ slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] In IRF mode: display nat eim [ chassis chassis-number slot slot-number ] [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] |
Display NAT EIM entry statistics. | In standalone mode: display nat eim statistics [ slot slot-number ] In IRF mode: display nat eim statistics [ chassis chassis-number slot slot-number ] |
Display NAT logging configuration. | display nat log |
Display information about NAT NO-PAT entries. | In standalone mode: display nat no-pat [ slot slot-number ] In IRF mode: display nat no-pat [ chassis chassis-number slot slot-number ] |
Display outbound dynamic NAT configuration. | display nat outbound |
Display NAT server mappings. | display nat server |
Display internal server group configuration. | display nat server-group [ group-id ] |
Display NAT sessions. | In standalone mode: display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ slot slot-number ] [ brief | verbose ] In IRF mode: display nat session [ { source-ip source-ip | destination-ip destination-ip } * [ vpn-instance vpn-instance-name ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ chassis chassis-number slot slot-number ] [ brief | verbose ] |
Display static NAT mappings. | display nat static |
Display NAT statistics. | In standalone mode: display nat statistics [ summary ] [ slot slot-number ] In IRF mode: display nat statistics [ summary ] [ chassis chassis-number slot slot-number ] |
Delete NAT EIM entries. | In standalone mode: reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ slot slot-number ] In IRF mode: reset nat eim [ protocol { icmp | tcp | udp } ] [ local-ip { b4 ipv6-address | local-ip } ] [ local-port local-port ] [ global-ip global-ip ] [ global-port global-port ] [ chassis chassis-number slot slot-number ] |
Clear NAT sessions. | In standalone mode: reset nat session [ protocol { tcp | udp } ] [ slot slot-number ] In IRF mode: reset nat session [ protocol { tcp | udp } ] [ chassis chassis-number slot slot-number ] |
NAT configuration examples
Example: Configuring outbound one-to-one static NAT
Network configuration
Configure static NAT to allow the host at 10.110.10.8/24 to access the Internet.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0/24.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the card in slot 2.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect slot 2
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
# Configure a one-to-one static NAT mapping between the private address 10.110.10.8 and the public address 202.38.1.100.
[Router] nat static outbound 10.110.10.8 202.38.1.100
# Enable static NAT on Ten-GigabitEthernet 3/1/2.
[Router] interface ten-gigabitethernet 3/1/2
[Router-Ten-GigabitEthernet3/1/2] nat static enable
# Specify slot 2 to process NAT traffic. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
Verifying the configuration
# Verify that the host at 10.110.10.8/24 can access the server on the Internet. (Details not shown.)
# Display static NAT configuration.
[Router] display nat static
Static NAT mappings:
Totally 1 outbound static NAT mappings.
IP-to-IP:
Local IP : 10.110.10.8
Global IP : 202.38.1.100
Config status: Active
Interfaces enabled with static NAT:
Totally 1 interfaces enabled with static NAT.
Interface: Ten-GigabitEthernet3/1/2
Service card : Slot 2
Config status: Active
# Display NAT session information.
[Router] display nat session verbose
Initiator:
Source IP/port: 10.110.10.8/42496
Destination IP/port: 200.1.1.10/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/1/1
Responder:
Source IP/port: 200.1.1.10/42496
Destination IP/port: 202.38.1.100/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/1/2
State: ICMP_REPLY
Application: INVALID
Role: -
Failover group ID: -
Start time: 2012-08-16 09:30:49 TTL: 27s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
Total sessions found: 1
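As an added example (not from the guide or the device software), a parser for the `display nat session verbose` output shown above, with a check that each session's responder destination is the global address configured for the initiator's private source and that the destination was left untouched. The sample is constructed: session 1 mirrors the page's output, session 2 is an invented flow whose private source was never translated, which is what the check is meant to catch.

```python
"""Parse `display nat session verbose` output and check each session against the
outbound static mappings configured with `nat static outbound` (local -> global).
Added example, not part of the configuration guide or the device software."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: session 1 mirrors the page's static NAT example; session 2
# (abbreviated) is an invented flow whose private source was never translated.
SAMPLE_OUTPUT = """\
Initiator:
  Source      IP/port: 10.110.10.8/42496
  Destination IP/port: 200.1.1.10/2048
  Protocol: ICMP(1)
  Inbound interface: Ten-GigabitEthernet3/1/1
Responder:
  Source      IP/port: 200.1.1.10/42496
  Destination IP/port: 202.38.1.100/0
  Protocol: ICMP(1)
  Inbound interface: Ten-GigabitEthernet3/1/2
State: ICMP_REPLY
Application: INVALID
Start time: 2012-08-16 09:30:49  TTL: 27s
Initiator->Responder:            5 packets        420 bytes
Responder->Initiator:            5 packets        420 bytes
Initiator:
  Source      IP/port: 10.110.10.9/1025
  Destination IP/port: 200.1.1.10/80
  Protocol: TCP(6)
Responder:
  Source      IP/port: 200.1.1.10/80
  Destination IP/port: 10.110.10.9/1025
  Protocol: TCP(6)
State: TCP_ESTABLISHED
Total sessions found: 2
"""

# Mapping from the page's example: nat static outbound 10.110.10.8 202.38.1.100
STATIC_MAP: Dict[str, str] = {"10.110.10.8": "202.38.1.100"}

ADDR_RE = re.compile(r"^\s*(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)\s*$")
PROTO_RE = re.compile(r"^\s*Protocol:\s*([A-Z\-]+)\(\d+\)")
STATE_RE = re.compile(r"^\s*State:\s*(\S+)")
TTL_RE = re.compile(r"TTL:\s*(\d+)s")


def parse_nat_sessions(text: str) -> List[Dict]:
    """One dict per session: initiator/responder (ip, port) tuples, protocol, state, ttl."""
    sessions: List[Dict] = []
    cur: Optional[Dict] = None
    side: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Initiator:":                 # each session block starts here
            cur = {"initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
        elif cur is None:
            continue
        elif stripped == "Responder:":
            side = "responder"
        elif side and (m := ADDR_RE.match(line)):
            cur[side][m.group(1).lower()] = (m.group(2), int(m.group(3)))
        elif side and (m := PROTO_RE.match(line)):
            cur[side]["protocol"] = m.group(1)
        elif m := STATE_RE.match(line):
            cur["state"] = m.group(1)
            side = None                              # the rest of the block is per-session
        elif m := TTL_RE.search(line):
            cur["ttl"] = int(m.group(1))
    return sessions


def check_outbound_static(session: Dict, static_map: Dict[str, str]) -> str:
    """For outbound static NAT the initiator's private source must show up as the
    responder's destination translated to its global address, and the destination
    must be untouched (responder source == initiator destination)."""
    init, resp = session["initiator"], session["responder"]
    local_ip, seen_global = init["source"][0], resp["destination"][0]
    expected = static_map.get(local_ip)
    if expected is None:
        if ipaddress.ip_address(local_ip).is_private and seen_global == local_ip:
            return "untranslated-private"            # private source would leave the network as-is
        return "no-mapping"
    if seen_global != expected:
        return f"mismatch:{seen_global}"
    if resp["source"][0] != init["destination"][0]:
        return "destination-rewritten"
    return "ok"


def audit(text: str, static_map: Dict[str, str]) -> Dict[str, str]:
    """Map each session's initiator source IP to its check result."""
    return {s["initiator"]["source"][0]: check_outbound_static(s, static_map)
            for s in parse_nat_sessions(text)}
```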
Example: Configuring outbound dynamic NAT (non-overlapping addresses)
Network configuration
As shown in Figure 9, a company has a private address 192.168.0.0/16 and two public IP addresses 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on subnet 192.168.1.0/24 to access the Internet.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 192.168.1.0/24. In this example, every packet redirected to the NAT service card also requires address translation, so the rule in ACL 2001 is the same as the rule in ACL 2000. You can define different ACL rules as required.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the card in slot 2.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect slot 2
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
# Configure address group 0, and add an address range from 202.38.1.2 to 202.38.1.3 to the group.
[Router] nat address-group 0
[Router-address-group-0] address 202.38.1.2 202.38.1.3
[Router-address-group-0] quit
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Enable outbound dynamic PAT on Ten-GigabitEthernet 3/1/2. The source IP addresses of the packets permitted by the ACL rule are translated into the addresses in address group 0.
[Router] interface ten-gigabitethernet 3/1/2
[Router-Ten-GigabitEthernet3/1/2] nat outbound 2000 address-group 0
# Specify slot 2 to process NAT traffic. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
Verifying the configuration
# Verify that Host A can access the WWW server, while Host B cannot. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group name/ID: 0/0
Address information:
Start address End address
202.38.1.2 202.38.1.3
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/1/2
ACL: 2000 Address group: 0 Port-preserved: N
NO-PAT: N Reversible: N
Service card: Slot 2
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when Host A accesses the WWW server.
[Router] display nat session verbose
Initiator:
Source IP/port: 192.168.1.10/52992
Destination IP/port: 200.1.1.10/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/1/1
Responder:
Source IP/port: 200.1.1.10/4
Destination IP/port: 202.38.1.3/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Ten-GigabitEthernet3/1/2
State: ICMP_REPLY
Application: INVALID
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 12s
Initiator->Responder: 1 packets 84 bytes
Responder->Initiator: 1 packets 84 bytes
Total sessions found: 1
Example: Configuring NAT Server for external-to-internal access
Network configuration
As shown in Figure 10, two Web servers, one FTP server and one SMTP server are in the internal network to provide services for external users. The internal network address is 10.110.0.0/16. The company has three public IP addresses from 202.38.1.1/24 to 202.38.1.3/24.
Configure the NAT Server feature to allow external users to use public address 202.38.1.1/24 to access the internal servers.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0/24.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the card in slot 2.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect slot 2
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
# Enter interface view of Ten-GigabitEthernet 3/1/2.
[Router] interface ten-gigabitethernet 3/1/2
# Configure a NAT server mapping to allow external users to access the FTP server by using the address 202.38.1.1 and port 21.
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 21 inside 10.110.10.3 ftp
# Configure a NAT server mapping to allow external users to access the Web server 1 by using the address 202.38.1.1 and port 80.
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http
# Configure a NAT server mapping to allow external users to access the Web server 2 by using the address 202.38.1.1 and port 8080.
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 8080 inside 10.110.10.2 http
# Configure a NAT server mapping to allow external users to access the SMTP server by using the address 202.38.1.1 and port number defined by SMTP.
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 smtp inside 10.110.10.4 smtp
# Specify slot 2 to process NAT traffic. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
Verifying the configuration
# Verify that the host on the external network can access the internal servers by using the public addresses. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT internal server information:
Totally 4 internal servers.
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/21
Local IP/port : 10.110.10.3/21
Service card : Slot 2
Config status : Active
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/25
Local IP/port : 10.110.10.4/25
Service card : Slot 2
Config status : Active
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/80
Local IP/port : 10.110.10.1/80
Service card : Slot 2
Config status : Active
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/8080
Local IP/port : 10.110.10.2/80
Service card : Slot 2
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when Host accesses the FTP server.
[Router] display nat session verbose
Initiator:
Source IP/port: 200.1.1.10/1694
Destination IP/port: 202.38.1.1/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/2
Responder:
Source IP/port: 10.110.10.3/21
Destination IP/port: 200.1.1.10/1694
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/1
State: TCP_ESTABLISHED
Application: FTP
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
Example: Configuring NAT Server for external-to-internal access through domain name
Network configuration
As shown in Figure 11, Web server at 10.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 is used to resolve the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.
Configure NAT Server to allow external users to access the internal Web server by using the domain name.
Analysis
To meet the network configuration requirements, you must perform the following tasks:
· Configure NAT Server to map the private IP address and port of the DNS server to a public address and port. NAT Server allows the external host to access the internal DNS server for domain name resolution.
· Enable ALG for DNS and configure outbound dynamic NAT to translate the private IP address of the Web server in the payload of the DNS response packet into a public IP address.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0/24.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the card in slot 2.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect slot 2
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
# Enable NAT ALG for DNS.
[Router] nat alg dns
# Configure ACL 2000 to identify packets from 10.110.10.2.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 10.110.10.2 0
[Router-acl-ipv4-basic-2000] quit
# Create address group 1.
[Router] nat address-group 1
# Add address 202.38.1.3 to the group.
[Router-address-group-1] address 202.38.1.3 202.38.1.3
[Router-address-group-1] quit
# Configure NAT Server on Ten-GigabitEthernet 3/1/2 to map the address 202.38.1.2 to 10.110.10.3, so that external users can access the internal DNS server.
[Router] interface ten-gigabitethernet 3/1/2
[Router-Ten-GigabitEthernet3/1/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.3 dns
# Enable outbound NO-PAT on Ten-GigabitEthernet 3/1/2. Use the address in address group 1 to translate the private address in DNS response payload, and allow reversible NAT.
[Router-Ten-GigabitEthernet3/1/2] nat outbound 2000 address-group 1 no-pat reversible
# Specify slot 2 to process NAT traffic. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
Verifying the configuration
# Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT address group information:
Totally 1 NAT address groups.
Address group name/ID: 1/1
Address information:
Start address End address
202.38.1.3 202.38.1.3
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/1/2
ACL: 2000 Address group: 1 Port-preserved: N
NO-PAT: Y Reversible: Y
Service card: Slot 2
Config status: Active
NAT internal server information:
Totally 1 internal servers.
Interface: Ten-GigabitEthernet3/1/2
Protocol: 17(UDP)
Global IP/port: 202.38.1.2/53
Local IP/port : 10.110.10.3/53
Service card : Slot 2
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when Host accesses Web server.
[Router] display nat session verbose
Initiator:
Source IP/port: 200.1.1.2/1694
Destination IP/port: 202.38.1.3/8080
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/2
Responder:
Source IP/port: 10.110.10.2/8080
Destination IP/port: 202.1.1.2/1694
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/1
State: TCP_ESTABLISHED
Application: HTTP
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
Example: Configuring NAT hairpin in C/S mode
Network configuration
As shown in Figure 12, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2.
Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.
Requirements analysis
To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.
To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks:
· Enable NAT hairpin on the interface connected to the internal network.
· Configure outbound NAT on the interface where the NAT server mapping is configured. The destination address is translated by matching the NAT server mapping. The source address is translated by matching the outbound NAT.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure a QoS policy on the router to redirect traffic that needs NAT to the service card. (Details not shown.)
# Configure ACL 2000 to identify packets from subnet 192.168.1.0/24.
<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure a NAT server mapping on Ten-GigabitEthernet 3/1/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.
[Router] interface ten-gigabitethernet 3/1/2
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp
# Enable outbound NAT with Easy IP on Ten-GigabitEthernet 3/1/2 so that NAT translates the source addresses of the packets from internal hosts into the IP address of Ten-GigabitEthernet 3/1/2.
[Router-Ten-GigabitEthernet3/1/2] nat outbound 2000
# Specify slot 2 to process NAT traffic on Ten-GigabitEthernet 3/1/2. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
# Enable NAT hairpin on Ten-GigabitEthernet 3/1/1.
[Router] interface ten-gigabitethernet 3/1/1
[Router-Ten-GigabitEthernet3/1/1] nat hairpin enable
# Specify slot 2 to process NAT traffic on Ten-GigabitEthernet 3/1/1. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/1] nat service slot 2
[Router-Ten-GigabitEthernet3/1/1] quit
Verifying the configuration
# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/1/2
ACL: 2000 Address group: --- Port-preserved: N
NO-PAT: N Reversible: N
Service card: Slot 2
Config status: Active
NAT internal server information:
Totally 1 internal servers.
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/21
Local IP/port : 192.168.1.4/21
Service card : Slot 2
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT hairpinning:
Totally 1 interfaces enabled with NAT hairpinning.
Interface: Ten-GigabitEthernet3/1/1
Service card : Slot 2
Config status: Active
NAT mapping behavior:
Mapping mode : Connection-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when Host A accesses the FTP server.
[Router] display nat session verbose
Initiator:
Source IP/port: 192.168.1.2/1694
Destination IP/port: 202.38.1.2/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/1
Responder:
Source IP/port: 192.168.1.4/21
Destination IP/port: 202.38.1.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/1
State: TCP_ESTABLISHED
Application: FTP
Role: -
Failover group ID: -
Start time: 2012-08-15 14:53:29 TTL: 3597s
Initiator->Responder: 7 packets 308 bytes
Responder->Initiator: 5 packets 312 bytes
Example: Configuring load sharing NAT Server
Network configuration
As shown in Figure 13, three FTP servers are in the intranet to provide FTP services for external users. Configure NAT so that these external users use the address 202.38.1.1/16 to access the servers and the three FTP servers implement load sharing.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0/24.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the card in slot 2.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect slot 2
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
# Create NAT Server group 0, and add members to the group.
[Router] nat server-group 0
[Router-nat-server-group-0] inside ip 10.110.10.1 port 21
[Router-nat-server-group-0] inside ip 10.110.10.2 port 21
[Router-nat-server-group-0] inside ip 10.110.10.3 port 21
[Router-nat-server-group-0] quit
# Associate NAT Server group 0 with Ten-GigabitEthernet 3/1/2 so that servers in the server group can provide FTP services.
[Router] interface ten-gigabitethernet 3/1/2
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.1 ftp inside server-group 0
# Specify slot 2 to process NAT traffic. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
Verifying the configuration
# Verify that external hosts can access the internal FTP server group. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT server group information:
Totally 1 NAT server groups.
Group Number Inside IP Port Weight
0 10.110.10.1 21 100
10.110.10.2 21 100
10.110.10.3 21 100
NAT internal server information:
Totally 1 internal servers.
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.1/21
Local IP/port : server group 0
10.110.10.1/21 (Connections: 1)
10.110.10.2/21 (Connections: 2)
10.110.10.3/21 (Connections: 2)
Service card : Slot 2
Config status : Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Disabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
# Display NAT session information generated when external hosts access an internal FTP server.
[Router] display nat session verbose
Initiator:
Source IP/port: 200.1.1.10/53957
Destination IP/port: 202.38.1.1/21
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/2
Responder:
Source IP/port: 10.110.10.3/21
Destination IP/port: 200.1.1.10/53957
DS-Lite tunnel peer: -
VPN instance/VLAN ID/VLL ID: -/-/-
Protocol: TCP(6)
Inbound interface: Ten-GigabitEthernet3/1/1
State: TCP_ESTABLISHED
Application: FTP
Role: -
Failover group ID: -
Start time: 2012-08-16 11:06:07 TTL: 26s
Initiator->Responder: 1 packets 60 bytes
Responder->Initiator: 2 packets 120 bytes
Total sessions found: 1
Example: Configuring NAT DNS mapping
Network configuration
As shown in Figure 14, the internal Web server at 10.110.10.1/16 and FTP server at 10.110.10.2/16 provide services for external users. The company has three public addresses 202.38.1.1 through 202.38.1.3. The DNS server at 202.38.1.4 is on the external network.
Configure NAT so that:
· The public IP address 202.38.1.2 is used by external users to access the Web and FTP servers.
· External users can use the public address or domain name of internal servers to access them.
· Internal users can access the internal servers by using their domain names.
Requirements analysis
To meet the network requirements, perform the following tasks:
· Configure NAT Server by mapping the private IP addresses and port numbers of the internal servers to a public address and port numbers so that external users can access the internal servers.
· Configure NAT DNS mapping and ALG so that the public IP address of the internal server in the payload of the DNS response packet can be translated to the private IP address.
Procedure
# Specify IP addresses for the interfaces on the router. (Details not shown.)
# Configure ACL 2001 to identify packets from subnet 10.110.10.0/24.
<Router> system-view
[Router] acl basic 2001
[Router-acl-ipv4-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Router-acl-ipv4-basic-2001] quit
# Configure a QoS policy to redirect packets matching ACL 2001 to the card in slot 2.
[Router] traffic classifier 1
[Router-classifier-1] if-match acl 2001
[Router-classifier-1] quit
[Router] traffic behavior 1
[Router-behavior-1] redirect slot 2
[Router-behavior-1] quit
[Router] qos policy 1
[Router-qospolicy-1] classifier 1 behavior 1
[Router-qospolicy-1] quit
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] qos apply policy 1 inbound
[Router-GigabitEthernet1/0/1] quit
# Enable NAT ALG for DNS.
[Router] nat alg dns
# Enter interface view of Ten-GigabitEthernet 3/1/2.
[Router] interface ten-gigabitethernet 3/1/2
# Configure NAT Server to allow external hosts to access the internal Web server by using the address 202.38.1.2.
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.1 http
# Configure NAT Server to allow external hosts to access the internal FTP server by using the address 202.38.1.2.
[Router-Ten-GigabitEthernet3/1/2] nat server protocol tcp global 202.38.1.2 inside 10.110.10.2 ftp
# Enable outbound NAT with Easy IP on Ten-GigabitEthernet 3/1/2.
[Router-Ten-GigabitEthernet3/1/2] nat outbound
# Specify slot 2 to process NAT traffic. The service card slot number varies by device hardware configuration.
[Router-Ten-GigabitEthernet3/1/2] nat service slot 2
[Router-Ten-GigabitEthernet3/1/2] quit
# Configure two NAT DNS mapping entries by mapping the domain name www.example.com of the Web server to 202.38.1.2, and ftp.example.com of the FTP server to 202.38.1.2.
[Router] nat dns-map domain www.example.com protocol tcp ip 202.38.1.2 port http
[Router] nat dns-map domain ftp.example.com protocol tcp ip 202.38.1.2 port ftp
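The two dns-map entries above share one global address (202.38.1.2) and differ only in port, which is why a DNS mapping carries the protocol and port as well as the address: the DNS ALG uses them to find the matching NAT Server entry and rewrite the answer an internal client receives. The following Python model of that lookup, plus a minimal DNS A-record response builder and rewriter, is an added example and not code from the H3C documentation or the device; the NAT_SERVER and DNS_MAP tables are constructed to mirror the procedure above, and the packet handling is a simplification (one question, A records only).

```python
import struct

# Constructed model of the tables configured in the procedure above (not the
# device's own data structures): NAT Server entries keyed by global address,
# protocol and port, and the two nat dns-map entries keyed by domain name.
NAT_SERVER = {
    ("202.38.1.2", "tcp", 80): ("10.110.10.1", 80),  # Web server
    ("202.38.1.2", "tcp", 21): ("10.110.10.2", 21),  # FTP server
}
DNS_MAP = {
    "www.example.com": ("tcp", "202.38.1.2", 80),
    "ftp.example.com": ("tcp", "202.38.1.2", 21),
}


def lookup_private_address(domain, public_ip):
    """Model of the DNS ALG decision: translate the public address carried in a
    DNS answer for `domain` to the private server address. Returns None when no
    dns-map entry / NAT Server pair covers the (domain, address) combination."""
    entry = DNS_MAP.get(domain.lower().rstrip("."))
    if entry is None:
        return None
    proto, global_ip, global_port = entry
    if global_ip != public_ip:          # the reply does not carry the mapped address
        return None
    server = NAT_SERVER.get((global_ip, proto, global_port))
    return None if server is None else server[0]


def encode_name(name):
    """Encode a domain name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_a_response(txid, qname, ip):
    """Construct a minimal DNS response: one A question and one A answer whose
    name is a compression pointer to the question (0xC00C), as real resolvers send."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def read_name(pkt, off):
    """Decode a (possibly compressed) DNS name at `off`; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:       # compression pointer: follow it once
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def translate_dns_payload(pkt, client_is_internal):
    """Rewrite A-record rdata the way the DNS ALG does for an internal client.
    Returns (new_packet, [(public_ip, private_ip), ...]) listing each rewrite."""
    if not client_is_internal:
        return pkt, []                  # external clients keep the public address
    answer_count = struct.unpack("!HHHHHH", pkt[:12])[3]
    qname, off = read_name(pkt, 12)
    off += 4                            # skip QTYPE and QCLASS
    buf = bytearray(pkt)
    rewrites = []
    for _ in range(answer_count):
        _, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            public_ip = ".".join(str(b) for b in buf[off:off + 4])
            private_ip = lookup_private_address(qname, public_ip)
            if private_ip is not None:
                buf[off:off + 4] = bytes(int(o) for o in private_ip.split("."))
                rewrites.append((public_ip, private_ip))
        off += rdlen
    return bytes(buf), rewrites
```

Running `translate_dns_payload` on a constructed reply for www.example.com with a 202.38.1.2 answer yields 10.110.10.1 for an internal client and leaves the packet untouched for an external one; the same public address in a reply for ftp.example.com yields 10.110.10.2, which shows why the port in the dns-map entry matters.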
Verifying the configuration
# Verify that both internal and external hosts can access the internal servers by using domain names. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: Ten-GigabitEthernet3/1/2
ACL: --- Address group: --- Port-preserved: N
NO-PAT: N Reversible: N
Service card: Slot 2
Config status: Active
NAT internal server information:
Totally 2 internal servers.
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/21
Local IP/port : 10.110.10.2/21
Service card : Slot 2
Config status : Active
Interface: Ten-GigabitEthernet3/1/2
Protocol: 6(TCP)
Global IP/port: 202.38.1.2/80
Local IP/port : 10.110.10.1/80
Service card : Slot 2
Config status : Active
NAT DNS mapping information:
Totally 2 NAT DNS mappings.
Domain name: ftp.example.com
Global IP : 202.38.1.2
Global port: 21
Protocol : TCP(6)
Config status: Active
Domain name: www.example.com
Global IP : 202.38.1.2
Global port: 80
Protocol : TCP(6)
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Port-alloc-fail : Enabled
Port-block-alloc-fail : Disabled
Port-usage : Disabled
Port-block-usage : Enabled(Threshold: 40%)
NAT mapping behavior:
Mapping mode : Connection-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Disabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Example: Configuring NAT log export to the information center
Network configuration
As shown in Figure 15, configure NAT on the device for the internal host to access the Internet. Configure NAT logging on the device and configure the device to export the NAT logs to the information center. The NAT logs in the information center are used for monitoring the internal host.
Prerequisites
Assign IP addresses to interfaces on the device and make sure the device and the host can reach each other.
Procedure
# Specify the information center as the destination for flow log export.
<Device> system-view
[Device] userlog flow syslog
# Enable NAT logging.
[Device] nat log enable
# Enable logging for NAT session establishment events.
[Device] nat log flow-begin
# Enable logging for NAT session removal events.
[Device] nat log flow-end
# Enable logging for active NAT flows and set the logging interval to 10 minutes.
[Device] nat log flow-active 10
[Device] quit
Verifying the configuration
# Display the internal host's access records in the log buffer.
<Device> dir
Directory of cf:/
38 -rw- 141 Aug 07 2015 17:54:43 ifindex.dat
39 drw- - May 20 2015 14:36:20 logfile
249852 KB total (232072 KB free)
File system type of cf: FAT32
<Device> cd logfile
<Device> more logfile.log
…
%Aug 10 20:06:30:182 2015 Device NAT/6/NAT_FLOW: Protocol(1001)=ICMP;SrcIPAddr(1003)=10.110.10.8;SrcPort(1004)=259;NatSrcIPAddr(1005)=202.38.1.100;NatSrcPort(1006)=0;DstIPAddr(1007)=202.38.1.2;DstPort(1008)=2048;NatDstIPAddr(1009)=202.38.1.2;NatDstPort(1010)=259;InitPktCount(1044)=0;InitByteCount(1046)=0;RplyPktCount(1045)=0;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=08102015200630; EndTime_e(1014)=08102015200700;Event(1048)=(8)Session created;
…
Table 1 Command output
Field | Description |
---|---|
Protocol(1001)=ICMP | Protocol type. |
SrcIPAddr(1003)=10.110.10.8 | Source IP address before NAT. |
SrcPort(1004)=259 | Source TCP or UDP port before NAT. |
NatSrcIPAddr(1005)=202.38.1.100 | Source IP address after NAT. |
NatSrcPort(1006)=0 | Source TCP or UDP port after NAT. |
DstIPAddr(1007)=202.38.1.2 | Destination IP address before NAT. |
DstPort(1008)=2048 | Destination TCP or UDP port before NAT. |
NatDstIPAddr(1009)=202.38.1.2 | Destination IP address after NAT. |
NatDstPort(1010)=259 | Destination TCP or UDP port after NAT. |
BeginTime_e(1013)=08102015200630 | Start time of the flow, in the MMDDYYYYHHMMSS format. |
EndTime_e(1014)=08102015200700 | End time of the flow, in the MMDDYYYYHHMMSS format. |
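The NAT_FLOW record is the artifact a security team keeps from either export path (the information center here, or the flow log host in the next example): it ties a translated public address and port back to the private host that held it during a time window. The following Python parser and lookup is an added example, not code from the H3C documentation or the device; the first sample record mirrors the NAT_FLOW line shown above, the second is a constructed TCP session from a different internal host translated to the same public address, and the field names and MMDDYYYYHHMMSS timestamp format follow Table 1.

```python
import re
from datetime import datetime

# Constructed NAT_FLOW records. The first mirrors the ICMP session in the
# output above; the second is an invented TCP session from another internal
# host that was translated to the same public address 202.38.1.100.
SAMPLE_LOGS = [
    "%Aug 10 20:06:30:182 2015 Device NAT/6/NAT_FLOW: Protocol(1001)=ICMP;"
    "SrcIPAddr(1003)=10.110.10.8;SrcPort(1004)=259;NatSrcIPAddr(1005)=202.38.1.100;"
    "NatSrcPort(1006)=0;DstIPAddr(1007)=202.38.1.2;DstPort(1008)=2048;"
    "NatDstIPAddr(1009)=202.38.1.2;NatDstPort(1010)=259;InitPktCount(1044)=0;"
    "InitByteCount(1046)=0;RplyPktCount(1045)=0;RplyByteCount(1047)=0;"
    "RcvVPNInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(1040)=;"
    "SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=08102015200630; "
    "EndTime_e(1014)=08102015200700;Event(1048)=(8)Session created;",
    "%Aug 10 20:06:45:010 2015 Device NAT/6/NAT_FLOW: Protocol(1001)=TCP;"
    "SrcIPAddr(1003)=10.110.10.9;SrcPort(1004)=51234;NatSrcIPAddr(1005)=202.38.1.100;"
    "NatSrcPort(1006)=1025;DstIPAddr(1007)=202.38.1.2;DstPort(1008)=80;"
    "NatDstIPAddr(1009)=202.38.1.2;NatDstPort(1010)=80;InitPktCount(1044)=12;"
    "InitByteCount(1046)=1840;RplyPktCount(1045)=10;RplyByteCount(1047)=6120;"
    "RcvVPNInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(1040)=;"
    "SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=08102015200645;"
    "EndTime_e(1014)=08102015200710;Event(1048)=(8)Session created;",
]

# "%<timestamp> <host> <module>/<severity>/<mnemonic>: <body>"
HEADER_RE = re.compile(
    r"^%(?P<timestamp>.+?) (?P<host>\S+) (?P<module>\w+)/(?P<severity>\d)/"
    r"(?P<mnemonic>\w+): (?P<body>.*)$")
# Body fields look like Name(id)=value and are separated by ';'
FIELD_RE = re.compile(r"^(?P<name>\w+)\((?P<id>\d+)\)=(?P<value>.*)$")
EVENT_RE = re.compile(r"^\((?P<code>\d+)\)(?P<text>.*)$")


def parse_comware_time(value):
    """BeginTime_e / EndTime_e are written as MMDDYYYYHHMMSS (see Table 1)."""
    return datetime.strptime(value, "%m%d%Y%H%M%S")


def parse_nat_flow(line):
    """Parse one NAT_FLOW syslog line into a dict; return None for other messages."""
    m = HEADER_RE.match(line.strip())
    if m is None or m.group("mnemonic") != "NAT_FLOW":
        return None
    fields = {}
    for part in m.group("body").split(";"):
        part = part.strip()              # the sample carries a stray space before EndTime_e
        if not part:
            continue
        f = FIELD_RE.match(part)
        if f is None:
            raise ValueError("unrecognised NAT_FLOW field: %r" % part)
        fields[f.group("name")] = f.group("value")
    ev = EVENT_RE.match(fields.get("Event", ""))
    return {
        "host": m.group("host"),
        "protocol": fields["Protocol"],
        "src_before": (fields["SrcIPAddr"], int(fields["SrcPort"])),
        "src_after": (fields["NatSrcIPAddr"], int(fields["NatSrcPort"])),
        "dst_before": (fields["DstIPAddr"], int(fields["DstPort"])),
        "dst_after": (fields["NatDstIPAddr"], int(fields["NatDstPort"])),
        "begin": parse_comware_time(fields["BeginTime_e"]),
        "end": parse_comware_time(fields["EndTime_e"]),
        "event_code": int(ev.group("code")) if ev else None,
        "event": ev.group("text").strip() if ev else fields.get("Event"),
        "vpn_in": fields.get("RcvVPNInstance", ""),
        "bytes": int(fields["InitByteCount"]) + int(fields["RplyByteCount"]),
    }


def attribute(records, public_ip, public_port, when):
    """Which internal host held public_ip:public_port at time `when`?
    Returns the private source IP from the matching record, or None."""
    for rec in records:
        if rec["src_after"] == (public_ip, public_port) and rec["begin"] <= when <= rec["end"]:
            return rec["src_before"][0]
    return None


RECORDS = [r for r in (parse_nat_flow(line) for line in SAMPLE_LOGS) if r is not None]
```

Because the two records share the public address 202.38.1.100, `attribute` has to match on the translated port and the flow's time window as well, not on the address alone; note also that the ICMP record carries port 0 after translation, so ICMP flows can only be attributed by address and time.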
Example: Configuring NAT log export to the log server
Network configuration
As shown in Figure 16, configure the device to export the NAT logs to the log server. The NAT logs in the log server are used for monitoring the internal user.
Prerequisites
Assign IP addresses to interfaces on the device. Make sure the routes between the device and the user and between the device and the log server are reachable.
Procedure
# Enable NAT logging.
<Device> system-view
[Device] nat log enable
# Enable logging for NAT session establishment events.
[Device] nat log flow-begin
# Enable logging for NAT session removal events.
[Device] nat log flow-end
# Enable logging for active NAT flows and set the logging interval to 10 minutes.
[Device] nat log flow-active 10
# Set the flow log version to 3.0.
[Device] userlog flow export version 3
# Export flow log entries to port 2000 on the log host at 1.2.3.6.
[Device] userlog flow export host 1.2.3.6 port 2000
# Specify 2.2.2.2 as the source IP address for flow log packets.
[Device] userlog flow export source-ip 2.2.2.2
[Device] quit
Verifying the configuration
# Display the flow log configuration and statistics.
<Device> display userlog export
Flow:
Export flow log as UDP Packet.
Version: 3.0
Source ipv4 address: 2.2.2.2
Source ipv6 address:
Log load balance function: Disabled
Local time stamp: Disabled
Number of log hosts: 1
Log host 1:
Host/Port: 1.2.3.6/2000
Total logs/UDP packets exported: 112/87